Security Check List

SAP AGNeurottstr. 16D-69190 Walldorf

R/3 Security

R/3 Security Guide : VOLUME III

Checklists

Version 2.0a : English

November 24, 1998

Checklists

Copyright

SAP AG Version 2.0a : November 24, 1998 i

Copyright

©Copyright 1998 SAP AG. All rights reserved.

No part of this documentation may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.

SAP AG further does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP AGshall not be liable for any special, indirect, incidental, or consequential damages, including without limitation, lost revenues or lost profits, which may result from theuse of these materials. The information in this documentation is subject to change without notice and does not represent a commitment on the part of SAP AG in thefuture.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft®, WINDOWS®, NT® and EXCEL® and SQL-Server® are registered trademarks of Microsoft Corporation.

IBM®, OS/2®, DB2/6000®, AIX®, OS/400® and AS/400® are a registered trademark of IBM Corporation.

OSF/Motif® is a registered trademark of Open Software Foundation.

ORACLE® is a registered trademark of ORACLE Corporation, California, USA.

INFORMIX®-OnLine for SAP is a registered trademark of Informix Software Incorporated.

UNIX® and X/Open® are registered trademarks of SCO Santa Cruz Operation.

ADABAS® is a registered trademark of Software AG.

SECUDE is a registered trademark of GMD-German National Research Center for Information Technology.

SAP®, R/2®, R/3®, RIVA®, ABAP/4®, SAPoffice®, SAPmail®, SAPaccess®, SAP-EDI®, SAP ArchiveLink®, SAP EarlyWatch®, SAP Business Workflow®,R/3 Retail® are registered trademarks of SAP AG.

SAP AG assumes no responsibility for errors or omissions in these materials.

All rights reserved.


Copyright

ii Version 2.0a : November 24, 1998 SAP AG

Checklists

Table of Contents

SAP AG Version 2.0a : November 24, 1998 iii

Table of Contents

CHAPTER 1 : INTRODUCTION .......................................................................................................................................................... 1-1

Chapter 1-1 : How to Use the R/3 Security Guide.....................................................................................................................................................................1-1

The R/3 Security Guide VOLUME III : Checklists................................................................................................................................................................1-2

Chapter 1-2 : Support and Feedback........................................................................................................................................................................................1-6

Technical Consulting Services................................................................................................................................................................................................1-6Feedback .................................................................................................................................................................................................................................1-6

CHAPTER 2 : CHECKLISTS............................................................................................................................................................... 2-1Checklist 2-1 : User Authentication........................................................................................................................................................................................2-2Checklist 2-2 : R/3 Authorization Concept .............................................................................................................................................................................2-7Checklist 2-3 : Network Infrastructure .................................................................................................................................................................................2-11Checklist 2-4 : Operating System Protection ........................................................................................................................................................................2-14Checklist 2-5 : Database Access Protection..........................................................................................................................................................................2-20Checklist 2-6 : Protecting Your Productive System (Change & Transport System) ............................................................................................................2-28Checklist 2-7 : Remote Communications (RFC & CPI-C) ...................................................................................................................................................2-31Checklist 2-8 : Secure Store & Forward Mechanisms (SSF) and Digital Signatures ...........................................................................................................2-34Checklist 2-9 : Logging and Auditing...................................................................................................................................................................................2-36Checklist 2-10 : Special Topics.............................................................................................................................................................................................2-39

INDEX ..................................................................................................................................................................................................... I-1


Table of Contents

iv Version 2.0a : November 24, 1998 SAP AG

Checklists

Chapter 1-1 : How to Use the R/3 Security Guide

SAP AG Version 2.0a : November 24, 1998 1-1

Chapter 1 : Introduction


The R/3 Security Guide consists of three separate volumes, with different levels of detail:

R/3 Security Guide VOLUME I : An Overview of R/3 Security Services

R/3 Security Guide VOLUME II : R/3 Security Services in Detail

R/3 Security Guide VOLUME III : Checklists

R/3 Security Guide VOLUME I : An Overview of R/3 Security Services

The R/3 Security Guide VOLUME I provides a general overview of the security services that we offer in R/3. With VOLUME I, you can familiarize yourself with theseservices, for example, before establishing a security policy or before installing an R/3 System.



1-2 Version 2.0a : November 24, 1998 SAP AG

R/3 Security Guide VOLUME II : R/3 Security Services in Detail

This part of the R/3 Security Guide concentrates on the technical measures involved with R/3 System security. It contains descriptions of the tasks involved, as wellas our recommendations for the various components of the R/3 System. Use VOLUME II once you have established a security policy and are ready to implement itfor your R/3 System.

R/3 Security Guide VOLUME III : Checklists

The third part of the R/3 Security Guide complements VOLUME II with checklists. You can use these checklists to record those measures that you have taken andfor assistance when reviewing and monitoring them.

Updates

We will also publish updates to the guide as necessary. These updates will also be available over SAPNet in regular intervals.

The R/3 Security Guide VOLUME III : Checklists

You are currently working with the R/3 Security Guide VOLUME III : Checklists. The prerequisites for using this volume are:

• An existing security policy

• A good understanding of the concepts and measures to take as described in the R/3 Security Guide: VOLUMES I and II.

• Time and resources

Security is not only an aspect of quality; it is also an aspect of protection. Insufficient security can result in loss of time, assets, money - or your business!Security is an investment - of both time and resources. We recommend you dedicate sufficient time and allocate ample resources to implement your securitypolicy and maintain the level of security that you desire.

Checklists



Using VOLUME III

The checklists provided in this volume are a summary of the measures that we previously described in the R/3 Security Guide: VOLUME II. We provide thesechecklists as samples of the various security items that you can consider for your security policy.

Note

Keep in mind the following points of advice:

• Regard these checklists as suggestions and examples! These checklists do not in any way represent a complete collection of items that apply toeveryone.

• Copy these checklists and modify them to comply to your individual security policy.

- Define your own priorities.

- Delete those items that do not apply to your needs.

- Add any items that you find necessary that we have not included.

• Update your checklists regularly to adjust them to changing needs.

Our Security Consulting Team is also available for assistance. See Chapter 1-2 : Support and Feedback.

Valid Releases

This version of the R/3 Security Guide applies to R/3 Releases 3.0, 3.1, and 4.0. Where applicable, references to other releases are explicitly indicated.




Typographical Information and Standard Notations

The following tables explain the meanings of the various formats, symbols, and standard notations used in the guide.

Table 1-1 : Typographical Information Used in this Guide

This text format helps you identify

Screen Text words or characters you see on the screen (this includes system messages, field names, screen titles, menu names, and menu items).

User Entry exact user input. These are words and characters you type on the keyboard exactly as they are in the documentation.

<Variable User Entry> variable user input. Pointed brackets indicate that you replace these variables with appropriate keyboard entries.

ALL CAPITALS report names, program names, transaction codes, table names, ABAP language elements, file names, and directories.

Book Title cross-references to other books or references.

KEY name keys on your keyboard. Most often, function keys (for example, F2 and the ENTER key) are represented this way.

Technical Object Name names of technical objects outside of the R/3 System (for example, UNIX or Windows NT filenames or environment variables).

This icon helps you identify

Examplean Example. Examples help clarify complicated concepts or activities.

Note a Note. Notes can contain important information like special considerations or exceptions.

Cautiona Caution. Cautions help you avoid errors such as those that could lead to data loss.

Checklists



Table 1-2 : Standard Notations used in this Guide

This Notation helps you identify

<sid>, <SID> the three character System ID; lower and upper case respectively.

<SYS> the R/3 System number

<sid>adm, <SID>ADM the R/3 System administrator at the operating system level; lower and upper case respectively.Exception: Under AS/400, the system administrator is the user <SID>OFR.




Chapter 1-2 : Support and Feedback

Technical Consulting Services

If the R/3 Security Guide does not satisfactorily answer all of your questions,or if additional questions arise, our Security Consulting Team within the SAPTechnical Consulting Services is available for assistance.

We currently offer the following services:

• Support and consulting services when establishing a company-widesecurity policy

• Security analysis services

• Individual consulting services on security in the R/3 environment

• Support services when establishing a Windows NT domain concept

• Consulting services when using the Internet Transaction Server

• CA900 Course: Technical Revision - System Security

• Workshop on the R/3 Authorization Concept

For further information, contact the Security Consulting Team at:

Tel: +49 6227 / 7-41537Fax: +49 6227 / 7-44640

For more information, see:

• Fact Sheet: Technical System Security, Material Number: 50026500, or

• OSS Note 114045: Consulting: technical system security

Feedback

We are also interested in knowing how well the R/3 Security Guide meetsyour needs. We encourage you to provide us with your comments on thecontents and quality of this guide. To do so, use the Feedback Reply Formprovided at the end of the guide and return it to us at the following address orfax number:

SAP AGCCMS & Security DepartmentPostfach 1461D-69190 WalldorfGermany

Fax: +49-6227 / 7-41198

Checklists

Chapter 2 : Checklists

Checklists



We have designed these checklists to complement those security items discussed in The R/3 Security Guide: VOLUMES I and II. However, we do not imply thatthey are a complete list that applies to your own security policy. We recommend that you modify these checklists to meet your own policy requirements. Add ordelete items as necessary, and define your own priorities.

Note

The following guidelines apply when using these checklists:

• The numbering of the checklists correspond to the chapters in The R/3 Security Guide: VOLUME II.

• The Prio. column: Define and use your own priorities.

• In the Method column, we provide you with the transaction, report, or similar instructions that apply to the security item. An entry of UP x-x-x refersto the corresponding Useful Procedure in VOLUME II.

• The following guidelines apply to using the References column:

- In the heading, we have included the corresponding chapter in the R/3 Security Guide: VOLUME II. This reference always applies to the itemsincluded in the checklist. Keep in mind that each chapter in VOLUME II also contains sources of additional information.

- Table references also refer to the corresponding table in VOLUME II.

- Where applicable, we have also included sources in the checklist that directly apply to the security items (for example, OSS Notes, a differentchapter in VOLUME II, or the R/3 Online Documentation).

• As appropriate, we have included comments in the Result / Comments column. You can use this column for your own comments as well.




Checklist 2-1 : User Authentication

Nr. Prio. Security Item Method Reference(VOL.II, Ch. 2-1)

Result / Comments

Passwords

Have you established a password policy (how complexpasswords should be, how often they should be changed,etc.)?

Have you informed your employees of the policy?

If possible, can you technically enforce the policy?

Company policy

What is your minimum length for passwords? Set the profile parameterlogin/min_password_lng.

Table 2-1-1 Default = 3

Do users have to change their passwords on a regularbasis?

Set the profile parameterlogin/password_expiration_time.

Table 2-1-1 Default = 0 (users do not have to changepasswords)

Do the system administrators and holders of other importantpositions use more complex passwords?

Complex passwords should be themaximum length and contain at least onedigit and one special character.

Do you prohibit certain character combinations (such ascompany name)?

Enter the character combinationsthat you want to prohibit in TableUSR40 (UP 2-1-1).

Do you use an external security product with R/3 forauthentication that takes place outside of the R/3 System?

Chapter 2-3

SNC User's Guide

external securityproductdocumentation

By using an external security product, youcan enforce longer passwords and youcan eliminate the need to transferpasswords over the network.

Checklists



Checklist 2-1 : User Authentication (continued)


Result / Comments

Protecting Standard Users

What R/3 clients do you have in your system?

Do you regularly monitor them to make sure that nounknown clients exist?

Display Table T000 with TransactionSM31 to obtain a list of all R/3clients.

Have you changed the default passwords for the standardusers SAP*, DDIC, SAPCPIC, and EARLYWATCH?

UP 2-1-3 You may want to lock SAPCPIC instead ofchanging its password. See below:Protecting SAPCPIC.

Do you monitor the status of your standard users regularly? Use the report RSUSR003 to ensurethat SAP* has been created in allclients and that the passwords forthe standard users have beenchanged.

OSS Note 40689

Protecting SAP*

Does SAP* exist in all clients? Report RSUSR003 Do not delete the user SAP*!

Have you deactivated it in all clients? UP 2-1-2 For information onthe profileparameter, see OSSNote 68048.

Alternative: set the profile parameterlogin/no_automatic_user_sap* orlogin/no_automatic_user_sapstar -depending on release.

Does SAP* belong to the group SUPER?

Is SAP* locked?






Result / Comments

Protecting DDIC

In which clients does DDIC exist? OSS Note 11677

OSS Note 34964

DDIC is created in clients 000 and 001during the installation process and isneeded for tasks in the installationprocess, software logistics, and certainABAP Dictionary tasks.

It is also needed in other clients forimports.

Therefore, do not delete DDIC or itsprofiles. Change its initial password!

Protecting SAPCPIC

Have you either changed SAPCPIC's password or have youlocked the user?

If you changed the password, have you adjusted theaffected programs accordingly?

If you have locked SAPCPIC, are you aware of the loss offunctions?

UP 2-1-3 OSS Note 29276

Table 2-1-3

When locking SAPCPIC, the loss offunctions depends on release - see theOSS Note 29276.

Protecting EARLYWATCH

Does the user EARLYWATCH exist only in client 066?

Is EARLYWATCH locked except for when it is needed?

Protecting the user for R/3 Online Services

If you use R/3 Online Services:

• Do you have a procedure to activate the user for R/3Online Services only when needed?

Chapter 2-10 in thesection titled R/3Online Services

OSS Note 46902

Checklists





Result / Comments

Preventing Unauthorized Logons

Do you monitor unsuccessful logon attempts on a regularbasis (daily)?

Report RSUSR006 Report RSUSR006 shows all unsuccessfullogon attempts by a known user and alluser locks.

Do you use the Security Audit Log for recording andanalyzing logon attempts?

Transactions SM18, SM19, SM20 Chapter 2-9 The Security Audit Log is available as ofRelease 4.0.

Have you set session termination after a number ofunsuccessful logon attempts?

Set the profile parameterlogin/fails_to_session_end.


Have you activated automatic logoff for idle users? Set the profile parameterrdisp/gui_auto_logout.

Table 2-1-4 Default = 0 (off)

Do you have users locked after a number of unsuccessfullogon attempts? Is the default (12) appropriate or have youchanged the value?

Set the profile parameterlogin/fails_to_user_lock.


Does your R/3 System automatically remove user locks atmidnight on the same day?

Set the profile parameterlogin/failed_user_auto_unlock.

Table 2-1-4 Default = 1 (yes)

Do you regularly check the system log for locked users?

Do your end users use screen savers with passwords?

Do you use the SAP Logon Pad instead of SAP Logon? SAP Logon Pad prevents changes to theSAP Logon configuration.

Are there other logon checks that you want to perform? Define your own logon checks in thecustomer exit SUSR0001

OSS Note 37724






Result / Comments

Security Measures When Using the Session Manager

Do you use the Session Manager under Windows NT orWindows 95 with any of the R/3 Releases 3.0E - 3.1G?

If yes, have you exchanged the slg_dll.dll?

OSS Note 80723

Security Measures When Using SAP Shortcuts

Are your front ends protected from unauthorized access? Depends on your infrastructure andoperating system.

Checklists

Checklist 2-2 : R/3 Authorization Concept




Result / Comments

Maintaining Authorizations and Profiles with the Profile Generator

Have you defined job roles for your company's job matrix?Have you specified the transactions and menu paths thateach job role needs to use?

Company policy Authorizations MadeEasy Guide, IMG, orASAP

Our Security Consulting Team offers aworkshop on the R/3 AuthorizationConcept.

Do you have defined procedures for creating andmaintaining the activity lists, profiles, and user masterrecords?

Transaction PFCG Authorizations MadeEasy Guide, IMG, orASAP

Manually Maintaining Authorizations and Profiles

As with the profile generator, have you defined job roles foryour company's job matrix?

Company policy

Have you determined the activities that each job role isallowed to perform, along with the proper authorizations?

Company policy

Do you have a standard policy for creating and assigningprofiles and authorizations?

Company policy

The Authorization Infosystem

Do you use the Authorization Infosystem to review yourauthorization plan? Do you review it on a regular basis?

Authorization Infosystem(Transaction SUIM)

Which authorizations do you consider critical? Whichprofiles contain these authorizations? Which users havethese profiles or authorizations?

Authorization Infosystem(Transaction SUIM)

Examples:

To find out which profiles contain certainauthorizations, see Profiles à List profilesby Complex Selection Criteria à Byauthorizations contained.

To users have a certain profile in theiruser master records, see Cross Referenceà Where-used lists à For profiles.




Checklist 2-2 : R/3 Authorization Concept (continued)


Result / Comments

The Authorization Infosystem (continued)

What other information do you consider important? Whichlists do you generate to provide you with this information?

Transaction SUIM For example, you can create lists for:

• Profile comparisons

• Transactions that a specific user canexecute

• Changes in the authorization profile fora user

Organizing Maintenance Tasks

Have you separated your user administration tasks intodifferent groups so that the tasks are covered and checkedby several administrators?

If you operate in a centralizedenvironment, it may be more appropriateto have a single superuser who performsall user and authorization maintenancetasks.

In a decentralized administrationenvironment, we recommend dividing thetasks so that they are covered by severaladministrators.

Do your administrators belong to the group SUPER? Only an administrator with the profileS_A.SYSTEM can change usersbelonging to the group SUPER.

Which tasks are the administrators allowed to perform andwhich are not? Which authorizations or profiles does eachadministrator have, or to which activity group does eachbelong?

Tables 2-2-1 and2-2-2

Checklists





Result / Comments

Authority Checks

Do you include authority checks in your own developments? Transaction SE93

AUTHORITY-CHECK at programlevel.

OSS Note 67766(for information onS_TCODE)

The authority check against the objectS_TCODE is automatically performed inR/3 for transaction starts over the menu orcommand line (as of Release 3.0E).

Do you assign reports to report classes? Report RSCSAUTH OSS Note 7642

Report RSCSAUTHdocumentation

Do you assign authorization groups to tables? Assign an authorization group totables in the Table TDDAT.

We do deliver a number of tables with pre-defined authorization groups.

Reducing the Scope of Authority Checks in R/3

Is it necessary to reduce the scope of authority checks?Have you carefully considered the security aspectsinvolved?

Company policy We advise you to consider this optioncarefully before suppressing authoritychecks.

How is the profile parameterauth/no_check_in_some_cases set?

Is the value set to that what you want it to be? Do you checkthe value regularly to ensure that it has not unknowinglybeen changed?






Result / Comments

Reducing the Scope of Authority Checks in R/3 (continued)

Do you reduce the scope of authority checks?

Have you carefully determined which authority checks youwant to deactivate before deactivating any?

To reduce the scope of authoritychecks:

1. Set the profile parameterauth/no_check_in_some_casesto the value 'Y'.

2. Use Transaction SU25 to copySAP defaults.

3. Use Transaction SU24 to changethe individual values.

Only use this option for individualtransactions. Do not use it for bulkchanges!

If you do reduce the scope of authority checks, then do youregularly check the deactivated authority checks to makesure that they have not unknowingly been changed?

Transaction SU24

Checklists

Checklist 2-3 : Network Infrastructure




Result / Comments

Network Topology

Have you designed your network topology with security inmind?

Company policy

How is your network topology designed? What do you havefor subnets and LANs? What servers are located in eachsubnet or LAN? Are your frontend LANs separated fromyour server LANs?

What are the security requirements on each of your subnetsor LANs?

Company policy Defining your network topology is a veryindividual process. Our SecurityConsulting Team is available forassistance.

Network Services

General Network Services

The following questions apply to general network servicesfor both Windows NT and UNIX (for example, under UNIX,the services sendmail, NFS):

• What ports are open on your servers? Which servicesare allowed on these ports?

• Have you deactivated those network services that youdo not need?

List 'open' ports with the commandnetstat -a.

Deactivate unnecessary services inthe services file.

Chapter 2-4 Services are mapped to ports in theservices file, which you can find in thefollowing paths:

• UNIX: /etc/services

• Windows NT:/winnt/system32/drivers/etc/services

Do you use static password files?




Checklist 2-3 : Network Infrastructure (continued)


Result / Comments

Network Services (continued)

SAP Network Services

The following questions apply to SAP-specific networkservices:

• What ports do you use for the various SAP networkservices (for example, SAPgui, message server,external RFC programs, and SAPlpd)?

• Do you use the SAProuter?

• Do you use Secure Network Communications (SNC)?

• Is the services file correctly configured for your SAP-specific services?

Table 2-3-1

Routers and Packet Filters

Do you use routers and packet filters? How are theyconfigured?

The Firewall and SAProuter

Is your server LAN protected with a firewall and aSAProuter?

A SAProuter alone does not protect yourR/3 network.

When using the SAProuter:

• How is your configuration file (saprouttab)configured? Does the configuration meet your securityneeds?

• Do you use logging? Do you use passwords?

OSS Note 30289

R/3 OnlineDocumentation:BC SAProuter

You can have SAProuter activties such asconnection setup and closure logged.

You can also protect access to yourSAProuter with a password.

Checklists



Checklist 2-3 : Network Infrastructure (continued)


Result / Comments

Secure Network Communications (SNC)

Do you use an external security product and SNC to provideprotection between components?

If yes:

• Which communication paths do you protect with SNC?

• What level of protection do you need for each of thevarious communication paths?

• Is your system correctly configured to provide theselevels of protection?

SNC User's Manual

external securityproductdocumentation

OSS Note 66687




Checklist 2-4 : Operating System Protection


Result / Comments

R/3 Security under UNIX

Protecting Specific UNIX Properties, Files and Services

Do you keep your SUID/SGID programs (for examplesendmail) up-to-date? Do you use versions in whichknown errors have been corrected?

Do you use a shadow password file? Does only the userroot have access to it?

Do you use the Yellow Pages (NIS) service? Have youconsidered alternatives?

Before using NIS, consider the necessityof the service. There are usuallyalternatives available and for securityreasons, we recommend that you avoidusing this service.

Do you use the Network File System (NFS) service?

If yes:

• Have you considered alternatives?

• Is NFS only used where necessary?

• Are you cautious with assigning write accesses ordistributing HOME directories?

• To which clients do you allow exports? Do you exportto "trustworthy" clients only, and are they limited innumber?

In those areas where NFS is often used(for example, for establishing a globaldirectory for application servers or in theTransport Management System), there areoften alternative solutions. Again, werecommend that you consider alternativesbefore deciding to use this service.

If you use any of these services, do you restrict their usewithin a secure LAN?

Checklists



Checklist 2-4 : Operating System Protection (continued)


Result / Comments

R/3 Security under UNIX (continued)

Protecting Specific UNIX Properties, Files and Services (continued)

Are the users root, <sid>adm, and <db><sid>protected? Is <db><sid> locked on your applicationservers?

These users should also be the only usersthat exist on your application servers andyour main instance.

Have you protected the .rhosts files for these users andany other users that you consider critical?

Empty their .rhosts files and setthe access rights to these files to'000'.

Have you deleted the file /etc/hosts.equiv or is itempty?

Are you up-to-date on security-related patches provided byyour vendor?

Setting Access Privileges for R/3 Under UNIX

How are the access rights set for SAP directories and files?Are they appropriate for your security needs?

Table 2-4-1

How is your UMASK defined? Is it appropriate for yoursecurity needs?






Result / Comments

R/3 Security Under Windows NT

Windows NT Users and Groups in an R/3 Environment

How are your local and global groups defined? To whichgroups do your users and groups belong?

Table 2-4-2 For example, R/3 administrators aregenerally members of the global groupSAP_<SID>_GlobalAdmin and the localgroup SAP_<SID>_LocalAdmin.

Do you use a domain controller? We do not recommend installing R/3 on adomain controller!

Have you disabled the standard NT user Administrator?

Have you created other users for administrative tasks?

Have you cancelled SID<ADM>'s membership in the groupsAdministrators or Domain Administrators?

Do you change its password frequently?

Are its rights restricted to R/3 instance-specific resourcesonly?

Have you cancelled SAPService<SID>'s right to Log onlocally?

Are its rights restricted to R/3 instance-specific resourcesonly?

Have you restricted the user so that it cannot logon to thesystem interactively? Have you disabled the setting changepasswd at logon?

Checklists





Result / Comments

R/3 Security Under Windows NT (continued)

R/3 in the Windows NT Domain Concept

How have you established your domain concept? Are yourR/3 resources in a different domain than your Windows NTresources (for example, the domain MASTER for WindowsNT and SAP for R/3 resources)?

The R/3 InstallationGuide for WindowsNT.

Do you use the trusted domain concept?

If yes:

• Have you considered alternatives?

• Is the trust relationship one-way? Does only the R/3domain (SAP) trust the Windows NT domain(MASTER) and not vice versa?

Protecting the R/3 Resources

Are all your R/3 servers located in the same domain?

Have you cancelled <SID>ADM's membership in theAdministrator group?

How are the access control lists for R/3 resources defined(\usr\sap\<sid>\...)?

How are your R/3 users defined (for example: as domainusers and not as local users)?

How are your global and local user groups defined?

How are their access rights defined?

Are these definitions appropriate for your security concept?






Result / Comments

R/3 Data Security Under Windows NT (continued)

Protecting the R/3 Resources (continued)

Who are your system administrators? The standard system administrators are<SID>ADM and SAPService<SID>.

What are the access rights for the file sapntstartb.exe? Only users belonging to the local groupSAP_<SID>_LocalAdmin should be ableto use the application sservmgr.exe tostart and stop the R/3 System. Thisprivilege is dependent on the access rightsfor the file sapntstartb.exe.

Can only the user who starts the R/3 System also startinternal tools such as dpmon.exe or gwmon.exe?

Do you operate with an installation of several R/3 Systems?

If yes:

• Who are your administrators?

• Do you administer the systems separately?

• Are the systems located on a single server?

• If yes:

- Are the access rights for the shared memory setcorrectly?

We suggest Full Control access rights forthe SAP_<SID>_LocalAdmin local groupsfor the file saposcol.exe (sharedmemory) when operating several R/3Systems on a single server:

Start saposcol.exe before starting R/3.

Checklists





Result / Comments

Logical Operating System Commands in R/3

Which operating system commands have you definedin R/3?

Who has the authority to maintain these commands?

Transaction SM69

Authorization object: S_RZL_ADMwith the value '01' in the field Activity.

R/3 OnlineDocumentation:BC ComputingCenter ManagementSystem à ExternalOperating SystemCommands

Who has the authority to execute these commands? Transaction SM49

Authorization object: S_LOG_COMwith the fields Command, Opsystem,and Host defined.




Checklist 2-5 : Database Access Protection


Result / Comments

General Recommendations

Have you changed the default password for SAPR3(<SID>OFR on AS/400)?

Are the USR* tables protected from all access?

Is the T000 table protected from write access?

Which other tables do you consider critical and are theyappropriately protected?(for example, SAPUSER, RFCDES, PA*, HCL*)

Access Using Database Tools

Do you access the database using R/3 tools only?

If you do use tools other than R/3 tools to access thedatabase (for example, SQL interface or Open DatabaseConnectivity):

• Have you created specific users for this purpose?

• Are their rights restricted to access rights for thenecessary tables only?

• Are their rights restricted to read-only access?

In regard to security, we do notrecommend accessing the database withtools other than R/3 tools!

If you do access the database with othertools, we cannot guarantee dataconsistency or authorization security!

Checklists



Checklist 2-5 : Database Access Protection (continued)


Result / Comments

ORACLE Under UNIX

Changing Passwords of Database Standard Users (ORACLE / UNIX)

Have you changed the passwords for the standard databaseusers?

UNIX command passwd (UP 2-5-1)

svrmgrl or sqldba

chdbpass (UP 2-5-2)

OPS$ mechanism

Table 2-5-1

Do you change <sid>adm's password regularly?

Is the file chdbpass protected from unauthorized access?

Protecting SAPDBA Operations (ORACLE / UNIX)

Do you use the expert mode for SAPDBA operations?

If yes:

• Is the password file passwd.dba protected fromunauthorized access?

Setting Access Privileges for Database-Related Files and Directories (ORACLE / UNIX)

How are the access privileges for ORACLE directories andfiles set? Do they meet your security requirements?

UNIX command chmod (UP 2-5-3) Table 2-5-2






Result / Comments

ORACLE Under UNIX (continued)

Setting Access Privileges for SAPDBA Tools (ORACLE / UNIX)

For ORACLE versions < 7.3:

• Does <sid>adm belong to the UNIX group dba?

For ORACLE versions >= 7.3:

• Does <sid>adm belong to the UNIX group oper?

ORACLE Under Windows NT

Changing Passwords of Database Standard Users (ORACLE / Windows NT)


SVRMGR30, SVRMGR23, SQLDBA72

OPS$ mechanism (UP 2-5-7)

Table 2-5-3

For which users have you assigned OPS$ users? Are theylimited in number?

UP 2-5-4, UP 2-5-5 and UP 2-5-6 OSS Note 50088

OSS Note 48736

Setting Access Rights for Database-Related Files and Directories (ORACLE / Windows NT)

Who has access to the ORACLE files and directories? Table 2-5-4 We suggest Full control access forSAP_<SID>_LocalAdmin and SYSTEMonly.

Checklists





Result / Comments

ORACLE Under Windows NT (continued)

Setting Access Rights for SAPDBA Tools (ORACLE / Windows NT)

For ORACLE versions < 7.3:

• Does <SID>ADM belong to the local groupORA_<SID>_DBA?

For ORACLE versions >= 7.3:

• Does <SID>ADM belong to the local groupORA_<SID>_OPER?

INFORMIX Under UNIX

Changing Passwords of Database Standard Users (INFORMIX / UNIX)


UNIX command passwd (UP 2-5-8) Table 2-5-5

Have you upgraded from a release prior to 2.1J/2.2D?

If yes:

• Have you deleted the environment variableINFORMIX_DB_PASSWD as well as any references to itfrom the configuration files for <sid>adm andinformix?

Setting Access Privileges for Database-Related Files and Directories (INFORMIX / UNIX)

How are the access privileges for INFORMIX directories andfiles set? Do they meet your security requirements?







Result / Comments

ADABAS

Changing Passwords of Database Standard Users (ADABAS / All)

Have you changed the passwords for the standard databaseusers? Have you updated the SAPUSER table?

CONTROL, XSQL or XQUERY(UP 2-5-10 - UP 2-5-14)

Table 2-5-7

Protecting CONTROL Operations (ADABAS / All)

Who are your CONTROL users and who are your operatorusers? Which tasks do each of them perform?

Measures Specific to ADABAS under UNIX (ADABAS / UNIX)

Have you changed the passwords for the operating systemusers?

UNIX command passwd (UP 2-5-15) Table 2-5-8

How are the access privileges for ADABAS directories andfiles set? Do they meet your security requirements?


Measures Specific to ADABAS under Windows NT (ADABAS / Windows NT)

Have you changed the password for the user <SID>ADM?

How are the access rights set for the directory%DBROOT%\config?

We suggest Full control access forAdministrators only and no access forothers.

Do you exclude access to the database with other databasetools? If yes, then are the access privileges for the directory%DBROOT% set correctly?

We suggest Full control access forAdministrators only and no access forothers.

Checklists





Result / Comments

DB2 Common Server Under UNIX (as of Release 4.0B)

Changing Passwords of Database Standard Users (DB2/CS / UNIX)


UNIX command passwd (UP 2-5-17)

DB2 control center

Table 2-5-10

R/3 OnlineDocumentation:BC SAP DatabaseAdministration: DB2common server

Do you occasionally change the value of the environmentvariable DB2DB6EKEY (or DB6EKEY, depending on release)?

If you change the value of DB2DB6EKEY,you must change it in all of the.dbenv_<hostname>.csh and.dbenv_<hostname>.sh profiles on allhosts.

After changing its value, you must alsochange <sid>adm and sapr3'spasswords.

Setting Access Privileges for Database-Related Files and Directories (DB2/CS / UNIX)

How are the access privileges for DB2/CS directories andfiles set? Do they meet your security requirements?







Result / Comments

DB2 Common Server Under Windows NT

Assigning Users and Groups (DB2/CS / Windows NT)

Do your user and group assignments correspond to ourstandard suggestions? Do they meet your securityrequirements?

Do your work with a domain controller? Do your user andgroup assignments correspond accordingly?

Table 2-5-12

Table 2-5-13

Managing the Passwords of the Database Standard Users (DB2/CS / Windows NT)

Do you change the passwords for <sid>adm and sapr3regularly? Do you use the DB2 control center for thispurpose?

DB2 control center R/3 OnlineDocumentation:BC SAP DatabaseAdministration: DB2common server

Using the DB2 control center is the onlyway to ensure consistency. We do notrecommend changing the passwords atthe operating system level.

Assigning Environment Variables (DB2/CS / Windows NT)

Do you change the value of the environment variableDB2DB6EKEY? Who is allowed to change the value of thisvariable?

UP 2-5-20 Table 2-5-15

Setting Access Privileges for Database-Related Files and Directories (DB2/CS / Windows NT)

Who has access to the DB2/CS files and directories? Table 2-5-16

Checklists





Result / Comments

DB2/400

General Description of the DB2/400 Security Concept (DB2/400)

Are you familiar with the DB2/400 security concept?

At what level of security do you operate? Use the WRKSYSVAL command tochange the security level.

We recommend running R/3 at a securitylevel of 40.

Default=40 as of V4R2; for earlierreleases, the default was 30.

Changing the Passwords for Database Standard Users (DB2/400)


CHGPWD, CHGUSRPRF (UP 2-5-21) Table 2-5-17 If you use distributed directories onmultiple AS/400s over /QFileSvr.400,you must use the same passwords on allthe AS/400s for each of the users(<SID>OPR, <SID>OFR, and SAP<nn>).




Checklist 2-6 : Protecting Your Productive System (Change & Transport System)


Result / Comments

The R/3 System Landscape

Have you separated your development, quality assurance,and productive systems?

Do you make changes (to include Customizing) only in thedevelopment system?

Do you have defined procedures for making changes andtransporting them into the productive system?

Do you use a common transport directory for transportingchanges?

If yes:

• Are all the systems that share the common transportdirectory placed in a single secure LAN?

Chapter 2-3

Do you have several R/3 Systems?

If yes:

• Are they separated into logically differentiatedlandscapes?

By separating the different R/3 Systemsinto logically differentiated landscapes,each with its own common transportdirectory, you can protect one system frombeing affected (either accidentally or onpurpose) from changes made in a differentsystem.

However, how you determine whichsystems belong to which landscapesdepends on your own priorities andinfrastructure.

Who is allowed to execute imports into the various systems?

Do you archive the transport information? OSS Note 41731 or41732

Checklists

Checklist 2-6 : Protecting Your Productive System (Change & Transport System)


Checklist 2-6 : Protecting Your Productive System (Change & Transport System) (continued)


Result / Comments

The R/3 System Landscape (continued)

Do you use the Transport Management System (TMS):

If yes:

• Who is allowed to start imports? Are the authorizationscorrectly assigned? (System Administrationauthorizations)

• Do you use a separate directory for the productivesystem? If yes, then do you transport Hot Packagesinto both directories?

Transaction STMS R/3 OnlineDocumentation:BC TransportManagement System

TMS is available as of Release 3.1H.

Configuring the System Landscape for Changes

In which systems are changes required? For which objects?

Are your systems correctly configured for changes?

Transactions SE03 and SE06

Defining the Transport Process

How is your transport path defined?

How is your transport process defined?

Either use the Transaction SE06 orTMS (as of 3.1H).

You must also enter the transportpath in the TPPARAM file at theoperating system level.




Checklist 2-6 : Protecting Your Productive System (Change & Transport System) (continued)


Result / Comments

Responsibilities and their Corresponding Authorizations in R/3

What roles have you defined for the change and transportprocess? Who can perform which tasks?

Are the appropriate authorizations assigned?

Table 2-6-1

Emergency Corrections in the Productive System

Do you avoid making changes in your productive system?

Have you ensured that nobody has transport, programming,or debugging with replace authorizations in your productivesystem?

Table 2-6-2

OSS Note 52937

OSS Note 65968

Have you defined a procedure for making emergencychanges in your productive system?

Does this procedure ensure that all changes are supervisedand double-checked?

Checklists

Checklist 2-7 : Remote Communications (RFC & CPI-C)




Result / Comments

General Security Measures

For which systems do you allow RFC access? Are thesesystems protected with the appropriate network measures(SAProuter and packet filter)?

Chapter 2-3

Do you include authority checks in your own functionmodules that can be called with RFC?

Who is authorized to maintain RFC destinations(Transaction SM59)?

Do you keep this authorization to a minimum?

The necessary authorization objectsinclude:

• S_ADMI_FCD with the value'NADM'

• S_TCODE with the value 'SM59'

Do you use RFC destinations with complete logoninformation?

If yes,

• Do you store logon information for non-dialog usersonly?

• Are their rights restricted in the target systems?

Use the program RSRFCCHK tocheck RFC destinations

You should only use this table to storenon-dialog user information. Dialog usersare prompted for their logon information atthe time of connection.

For 3.0C/D releases only:

• Have you read OSS Note 43417 and taken theappropriate measures?

OSS Note 43417




Checklist 2-7 : Remote Communications (RFC & CPI-C) (continued)


Result / Comments

General Security Measures (continued)

Do you use the RFC Software Development Kit?

Are you sure that it is not installed in your productivesystem?

Are external server programs defined in the secinfo file? Use the program RSGWLST tocheck your gateways.

Have you disabled remote monitoring of your SAPGateways?

Set the profile parametergw/monitor to 1.

OSS Note 64016

RFC Authorizations

Are you careful about assigning RFC authorizations?

When assigning RFC authorizations, do you perform a traceto find out which function groups are necessary to performan action and assign only those function groups that arenecessary in the user's authorization?

The necessary authorization objectfor using RFC is S_RFC.

UP 2-10-1 shows how to perform thetrace.

In VOLUME II, UP 2-10-1 shows how toperform a trace for ALE applications. Youcan use this procedure for other RFCapplications as well.

Trusted System Networks (RFC)

Do you use a trusted system scenario?

If yes:

• Do those systems in the scenario have the samesecurity-level requirements?

• Is the user administration and authorization conceptidentical for all systems with the trusted systemscenario?

A trusted system scenario builds a single'virtual' R/3 System. Therefore, all securityrequirements, user administration, andauthorization concept should be the samefor all systems with the trusted systemscenario.

Checklists



Checklist 2-7 : Remote Communications (RFC & CPI-C) (continued)


Result / Comments

Authorizations for External Server Programs (RFC & CPI-C)

Which external server programs are authorized to start overthe gateway? Which are authorized to register themselveson the gateway?

Have you entered them in the secinfo file? Do youregularly maintain this file?

Use the program RSGWLST tocheck your gateways.

R/3 OnlineDocumentation:BC SAPCommunication:Configuration Guideà SAP Gateway

The path and filename for this file isdefined in the profile parametergw/sec_info.

The default path and filename contained inthe parameter is:/usr/sap/<SID>/<instance>/data/secinfo.

Do you allow the execution of external operating systemcommands or external programs in batch jobsteps over thegateway?

Include an entry for the programsapxpg in the secinfo file.

Secure Network Communications for Remote Communications (RFC & CPI-C)

Do you use Secure Network Communications (SNC) and anexternal security product?

If yes:

• Do you use SNC protection for RFC and CPI-Cconnections as well? Is your system properlyconfigured?

Chapter 2-3

SNC User's Manual

Available for RFC and CPI-C as ofRelease 4.0




Checklist 2-8 : Secure Store & Forward Mechanisms (SSF) and Digital Signatures


Result / Comments

Are there any laws or regulations that apply to the area ofapplication where you want to use digital signatures? Whatare they and do you adhere to them?

Do you use an external security product for Secure Storeand Forward Mechanisms (SSF) in R/3?

OSS Note 86927

OSS Note 66687

SSF is available as of Release 4.0.

If you do use the SSF mechanisms, thenthe following sections Protecting PrivateKeys and Protecting Public Keys apply toyou.

Protecting Private Keys

Hardware Solutions

Do you use smart cards for authentication purposes?

Does each user have his or her own smart card?

Users should not share smart cards!

Software Solutions

Do you use a software solution?

Is the file or directory where the user and key information isstored protected against unauthorized access?

Protecting Public Keys

Do you (or your security product) use an address book tostore public keys?

If yes:

• Is this address book protected against unauthorizedaccess?

Checklists

Checklist 2-8 : Secure Store & Forward Mechanisms (SSF) and Digital Signatures


Checklist 2-8 : Secure Store & Forward Mechanisms (SSF) and Digital Signatures (continued)


Result / Comments

SAP Security Library (SAPSECULIB)

Protecting the R/3 Application Servers' Private Key

Is the file SAPSECU.pse protected from unauthorizedaccess?

OSS Note 110600 The file SAPSECU.pse is located in thesec subdirectory of the directorycontained in the DIR_INSTANCE profileparameter.

Normally, only <sid>adm has access tothis file.

Do you have reason to believe that this file has beentampered with?

Regenerate the application server'skey pair by:

1. Delete the files in the secdirectory.

2. Restart the application server.

Have you had to replace the R/3 application server's publickey with the above mentioned procedure? Are there anyapplications that are using the old public key forauthentication?

Re-publish the new public key to theapplications that need it.

Do you not use digital signatures in R/3? Do you want todisable SEPSECULIB?

Replace the file SAPSECU.pse withan arbitrary file and restart theapplication server.

This is only possible if you do not use anyapplications that need the application'sserver public key.

Protecting the R/3 Application Servers' Public Keys

Do you use self-signed certificates or CA-signedcertificates?

If you do not use an external securityproduct, then the R/3 application serversigns its own certificate.




Checklist 2-9 : Logging and Auditing


Result / Comments

The Audit Info System (AIS)

Do you use the Audit Info System (AIS) on a regular basis tocheck and monitor your R/3 System for security issues?

Transaction SECR OSS Note 77503

OSS Note 100609

See the OSS Notes for information on theavailability of AIS.

The Security Audit Log

Do you use the Security Audit Log to monitor security-related events in your R/3 System?

If yes:

• Do you check it on a regular basis?

Use Transaction SM19 to activatethe Security Audit Log and defineselection criteria.

Use Transaction SM20 to analyzethe contents of the Security AuditLog.

Use Transaction SM18 to delete oldaudit log files.

R/3 OnlineDocumentation:BC System Servicesà The Security AuditLog

The Security Audit Log is available as ofRelease 4.0B.

The System Log

Do you check the System Log on a regular basis to monitorfailed log-on attempts and user locks?

Transaction SM21 R/3 OnlineDocumentation:BC System Servicesà The System Log

Statistic Records

Do you use the statistic records to log user activities? Set the profile parameterstat/level.

Do you check the statistic records when necessary? Transaction STAT

Checklists

Checklist 2-9 : Logging and Auditing


Checklist 2-9 : Logging and Auditing (continued)


Result / Comments

Logging of Specific Activities

Application Logging

Do you include application logging in your owndevelopments?

Transaction SGL0

Do you check the application logs when necessary? Transaction SGL1

Workflow Execution Logging

Do you use the SAP Business Workflow analysis functionsto monitor workflow activities?

Transactions SWI2, SWI5, etc.

Logging Changes to Business Objects

Which objects do you consider critical or are susceptible toaudits? Have you activated change documents for theseobjects?

Perform the following steps:

1. Create the change document.(Transaction SCD0)

2. Activate the change document.(Transaction SE11)

3. Generate an update for theobject. (Transaction SCD0)

4. Insert the appropriate calls in thecorresponding programs.




Checklist 2-9 : Logging and Auditing (continued)


Result / Comments

Logging of Specific Activities (continued)

Logging Changes to Table Data

Which tables to you consider critical or susceptible toaudits? Have you activated table recording in general?

Have you activated table recording for those tables you wantto have logged?

Perform the following:

1. Set the rec/client profileparameter.

2. Set the Log data changes flagfor those tables you want tohave logged.

OSS Note 1916

OSS Note 112388

Logging Changes to User Master Records, Profiles, and Authorizations

Do you regularly check changes to user master records,profiles, and authorizations?

Authorization Infosystem orTransaction SU01.

Checklists

Checklist 2-10 : Special Topics




Result / Comments

R/3 Internet Application Components (IAC)

The Overall Architecture of the ITS

Do you use Internet Application Components?

Are your AGate and WGate located on separate machines?

A Secure Network Infrastructure for the ITS

How is your network infrastructure set up?

Where have you included packet filters and routers in yourinfrastructure?

Chapter 2-3

Do you use a separate system (replicated with ALE) insteadof your productive system for your Internet system?

Configuring the Server and Network Components

Protecting the Web Server

What types of communication protocols do you require (forexample, HTTP, HTTPS)?

How is your Web server configured? Have you configured itto only allow those communication protocols that yourequire?

Chapter 2-3

Chapter 2-4

Is your Web server (where the WGate is located) isolatedfrom your corporate network?




Checklist 2-10 : Special Topics (continued)


Result / Comments

R/3 Internet Application Components (IAC) (continued)

Configuring the Server and Network Components (continued)

Protecting the AGate Server

Where is your AGate located?

Is it protected from the external network with a firewall andSAProuter?

Chapter 2-3 We suggest placing your AGate withinyour internal network.

How are the TCP ports for ITS (sapavx<xx>_<INST>) inthe file /etc/services defined?

Are the port assignments identical for the WGate and AGatehosts?

Do you use the SAProuter to control the connectionbetween the WGate and the AGate?

How is your SAProuter configured for WGateßàAGatecommunications?

Do the Windows NT registry entries on the WGate hostcorrespond correctly?

Do you use other commercial firewall products to relay theTCP connection from the WGate to the AGate?

Do the Windows NT registry entries on the WGate hostcorrect?

Checklists





Result / Comments


Configuring the Server and Network Components (continued)

Protecting the R/3 Servers

Do you provide additional protection between the AGate andthe R/3 application server? (Do you have a firewall betweenthe AGate and the application server?)

OSS Note 104576

Using Security Services / Providing Privacy

Between the Web Browser and Web Server

Do you offer your services to external users, or only tointernal users?

Do you use HTTPS and X.509 certificates forcommunication between the Web browser and server?

Do you have an established corporate Certificate Authority(CA) or do you use an external CA?

How is your Web server configured? Is it configured to onlyallow connection requests that present valid browsercertificates? Which browser certificates do you accept?

Between WGate and AGate

As of ITS 2.0:

• Do you use Secure Network Communications (SNC) toprovide encryption for the connection between theWGate and AGate?

Chapter 2-3






Result / Comments


Using Security Services / Providing Privacy (continued)

Between AGate and R/3

As of ITS 2.2:

• Do you use Secure Network Communications (SNC) toprovide encryption for the connection between theAGate and R/3?

Authenticating Users

Do you have services users that are worth protecting?

If yes:

• Is the AGate protected from unauthorized access?

Protecting Session Integrity

Do you have an Internet or an Intranet infrastructure? Doyou use proxys and load balancing? To what degree do youneed to compare and verify IP addresses?

How is the following registry key defined?

• HKEY_LOCAL_MACHINE\SOFTWARE\SAP\ITS\2.0\<INST>\Connects\IPChecking

The default value is 255.255.255.255which specifies that the entire IP addressis compared. For example, a value of255.255.0.0 specifies that only the leadingfigures of the address should becompared.

Setting Security Levels

At what security level do you operate your ITS(1,2,or 3)?

To change the security level, use thecommand-line utility itsvprotect.

Checklists





Result / Comments


Declaring Allowed Applications

Do you use transactional IACs? Define a service file for thetransaction.

You can only use transactions that have acorresponding service file. Defining aservice file is part of the process ofcreating the transaction.

If you use WebRFC or WebReporting and have a release asof Release 4.5:

• Have you explicitly released those Reports, Reportingtrees and Function Modules that are accessible overthe Internet?

Transaction SMW0

If you use WebRFC or WebReporting and haveRelease 3.1H:

• Have you ran the available patch to prevent thestarting of reports that contain an empty authorizationgroup?

OSS Note 92725

If you do not use WebRFC or WebReporting, then do youwant to disable the use of WebRFC?

Delete the file SAPXGWFC.dll.

Protecting Application Link Enabling (ALE) Applications

Do you use ALE applications?

How are your ALE users set-up? What roles do you haveand who has which authorizations?

Transaction SALE

Where are your users and passwords stored? Is thisinformation protected from unauthorized access?

system-dependent ALE users and passwords are generallystored outside of the R/3 System.






Result / Comments

Protecting Application Link Enabling (ALE) Applications (continued)

Is your distribution model protected from unauthorizedaccess?

The authorization object needed tomaintain the distribution model isB_ALE_MODL.

Are authorizations in the target system for ALE users kept toa minimum?

Do you set up special users for ALE? Do they have onlyALE authorizations?

Do you avoid giving ALE authorizations to other users?

Are your ALE users in the target system type CPIC?

Do you use background processing, or immediateprocessing?

For background processing:

• What authorizations do your ALE users have? Do youavoid giving them authorizations for the receivingapplication?

For immediate processing:

• What authorizations do your ALE users have? Are theyrestricted to only those application authorizations thatthey need?

Authorization trace (UP 2-10-1)

Checklists





Result / Comments

R/3 Online Services

Are you aware of the security measures that we take atSAP? Do you take those measures that we recommend?

OSS Note 35010

OSS Note 46902

OSS Note 35493

Do you use a hardware router for the connection? Do yourestrict access authorizations for the router?

Do you use the SAProuter program?

Do you use and check the SAProuter logs?

Do you use password protected connections?

Do you use separate users for online services? Are theytailored to the type of service required? Are they set-up intest clients?

Do you monitor the activities and/or check them after asession is completed?

Transaction STAT

Do you protect your users' passwords? Use a separate channel (telephoneor separate document) to disclosepasswords.

Do not disclose users' passwords over theremote connection!

If you do have to allow access over the user <sid>adm, doyou change its password immediately afterwards?

Do you deactivate users and passwords after a session isterminated?

Do you deactivate the remote connection and close the OSSconnection after task completion?

Do you set time limits for OSS connections?






Result / Comments

Virus Protection and Integrity Checks

Do you use virus checkers? Do you keep them up-to-date?

Are your users informed of the dangers of viruses and usingunchecked programs?

Protecting Specific Tables, Authorization Objects, etc.

SAP_ALL Authorization

Have you distributed the authorizations from SAP_ALLamong various users?

Does only one user have the SAP_ALL authorization? Is thisuser's password kept secret and in a safe place? Do yousave this user only for emergencies?

SAP_NEW Authorization

Do you have a long list of SAP_NEW profiles? Review and re-establish yourauthorization concept.

Do you "clean-up" your SAP_NEW profiles after anupgrade?

Have you distributed the profiles contained in theSAP_NEW_* profiles? Have you maintained their values?

Have you deleted the SAP_NEW_* profiles after distributingand maintaining them?

Perform the following steps:

1. Delete SAP_NEW_* profiles thatyou do not need to distribute.(The profiles are alreadydistributed.)

2. Distribute the rest of theSAP_NEW_* profiles andmaintain their values.

3. Delete the profile SAP_NEW.

Checklists





Result / Comments

Protecting Specific Tables, Authorization Objects, etc. (continued)

Table T000

Do only system administrators have maintenance access forTable T000?

The necessary authorization object isS_ADMI_FCD.

Do you have a defined process for creating and maintainingclients?

Does the S_TCODE authorization object contain the tableand client maintenance transactions SCC4, SM30 andSM31?

Are the fields in the authorization object S_TABU_DIS setas indicated below?

• Field: Activity; Values: 02, 03

• Field: Authorization group; Value: SS

Is the indicator for client-independent maintenance field forthe authorization object S_TABU_CLI set to the value 'X'?

HR Tables

For Releases 3.0A-C:

• Have you explicitly assigned HR tables to theauthorization group PA?

• Have you excluded the group PA from theauthorization object S_TABU_DIS?






Result / Comments

Protecting Specific Tables, Authorization Objects, etc. (continued)

HR Authorization Profile P_BAS_ALL

Are all your HR tables assigned to either the PC or PS tableclasses?

Have your restricted the Authorization group field inP_BAS_ALL to PC and PS?

OSS Note 11796

System Profile Parameter Files

Are the system profile parameter files <SID>_<Instance>,START_<Instance>, and DEFAULT.PFL, protected formunauthorized access?

Do you regularly check their authenticity?

Checklists

Index

SAP AG Version 2.0a : November 24, 1998 I-1

Index

<

<SID>_<Instance> 2-48

A

access rightsADABAS under UNIX 2-24ADABAS under Windows NT 2-24DB2/CS under UNIX 2-25DB2/CS under Windows NT 2-26INFORMIX under UNIX 2-23ORACLE under UNIX 2-21ORACLE under Windows NT 2-22R/3 under UNIX 2-15R/3 under Windows NT 2-18Windows NT 2-16

activity lists 2-7ADABAS 2-24address books 2-34AGate 2-39, 2-40, 2-41, 2-42AIS

see Audit Info SystemALE

see Application Link EnablingApplication Link Enabling 2-43, 2-44application logging 2-37Audit Info System 2-36auditing 2-36, 2-37, 2-38auth/no_check_in_some_cases 2-9authentication 2-2

ITS 2-42authority checks 2-9

reducing the scope of 2-9, 2-10authorization concept 2-7Authorization Infosystem 2-7, 2-8, 2-38authorization objects

B_ALE_MODL 2-44RZL_ADM 2-19S_ADMI_FCD 2-31, 2-47S_LOG_COM 2-19S_RFC 2-32S_TABU_CLI 2-47S_TABU_DIS 2-9, 2-47S_TCODE 2-47

authorization profilesP_BAS_ALL 2-48

authorization trace 2-44authorizations 2-7, 2-8

ALE users 2-44maintenance tasks 2-8R/3 user administrators 2-8S_TCODE 2-31SAP_ALL 2-46SAP_NEW 2-46

automatic logoff 2-5

C

CAsee Certificate Authority

Certificate Authority 2-35, 2-41certificates 2-35, 2-41Change and Transport System 2-28change documents 2-37change options 2-29

chdbpass 2-21common transport directory 2-28CPI-C 2-31, 2-32, 2-33

authorizations 2-33

D

database security 2-20ADABAS 2-24DB tools 2-20DB2/400 2-27DB2/CS under UNIX 2-25DB2/CS under Windows NT 2-26general 2-20INFORMIX under UNIX 2-23ORACLE under UNIX 2-21, 2-22ORACLE under Windows NT 2-22, 2-23

DB2 control center 2-25, 2-26DB2/400 2-27DB2/CS under UNIX 2-25DB2/CS under Windows NT 2-26DB2DB6EKEY 2-25, 2-26DDIC 2-4DEFAULT.PFL 2-48development system 2-28digital signatures 2-34, 2-35DIR_INSTANCE 2-35distribution model 2-44domain concept 2-17domain controller 2-16

E

EARLYWATCH 2-4


Index

I-2 Version 2.0a : November 24, 1998 SAP AG

encryptionITS 2-41

etc/services 2-11, 2-40external server programs 2-32

F

feedback 1-6firewalls 2-12, 2-40

G

gateways 2-32, 2-33gw/monitor 2-32gw/sec_info 2-33

H

HR tables 2-47http/https 2-39, 2-41

I

IACsee Internet Application Components

INFORMIXUNIX 2-23

INFORMIX_DB_PASSWD 2-23Infosystem 2-7, 2-8Internet 2-39Internet Application Components

2-39, 2-40, 2-41, 2-42, 2-43Internet Transaction Server 2-39

security levels 2-42ITS

see Internet Transaction Serveritsvprotect 2-42

J

job roles 2-7

L

locks 2-5, 2-36logging 2-36, 2-37, 2-38logging changes to business objects 2-37logging changes to profiles or authorizations 2-38logging changes to table data 2-38logging changes to user master records 2-38login/failed_user_auto_unlock 2-5login/fails_to_session_end 2-5login/fails_to_user_lock 2-5login/min_password_lng 2-2login/no_automatic_user_sap* 2-3login/no_automatic_user_sapstar 2-3login/password_expiration_time 2-2logon attempts 2-5, 2-36

N

Network File System (NFS) 2-14network infrastructure 2-11, 2-12, 2-13network security 2-11, 2-12, 2-13network services 2-11, 2-12networks

firewalls 2-12, 2-40Internet 2-39ITS 2-40packet filters 2-12, 2-31, 2-39routers 2-12, 2-39SAProuter 2-12, 2-31, 2-40

notations 1-4

O

operating system commands 2-19operating system security

logical operating system commands in R/3 2-19UNIX 2-14, 2-15Windows NT 2-16, 2-17, 2-18

OPS$ mechanismWindows NT 2-22

OPS$mechanismUNIX 2-21

ORACLEUNIX 2-21, 2-22Windows NT 2-22

P

P_BAS_ALL 2-48packet filters 2-12, 2-31, 2-39passwd.dba 2-21password policy 2-2passwords 2-2, 2-12

ADABAS 2-24ALE users 2-43DB2/400 2-27DB2/CS under UNIX 2-25DB2/CS under Windows NT 2-26INFORMIX under UNIX 2-23ORACLE under UNIX 2-21ORACLE under Windows NT 2-22OSS service users 2-45SAPR3 2-20UNIX 2-14Windows NT 2-16

priorities 2-1private keys 2-34, 2-35productive system 2-28

emergency changes 2-30profile generator 2-7profile parameter

login/min_password_lng 2-2login/password_expiration_time 2-2

profile parametersauth/no_check_in_some_cases 2-9DIR_INSTANCE 2-35

Checklists

Index

SAP AG Version 2.0a : November 24, 1998 I-3

gw/monitor 2-32gw/sec_info 2-33login/failed_user_auto_unlock 2-5login/fails_to_session_end 2-5login/fails_to_user_lock 2-5login/no_automatic_user_sap* 2-3login/no_automatic_user_sapstar 2-3rdisp/gui_auto_logout 2-5rec/client 2-38stat/level 2-36

profiles 2-7public keys 2-34, 2-35

Q

quality assurance system 2-28

R

R/3 Online Services 2-4, 2-45R/3 resources

Windows NT 2-17, 2-18rec/client 2-38references 2-1releases

valid 1-3remote communications 2-31, 2-32, 2-33report classes 2-9reports

RSCSAUTH 2-9RSUSR003 2-3RSUSR006 2-5

RFC 2-31, 2-32, 2-33authorizations 2-32Secure Network Communications 2-33trusted systems 2-32

RFC Software Development Kit 2-32routers 2-12, 2-39

RSGWLST 2-32, 2-33RSRFCCHK 2-31

S

SAP Business Workflow 2-37SAP Gateways 2-32SAP Logon Pad 2-5SAP Security Library 2-35SAP Shortcuts 2-6SAP* 2-3SAP_ALL 2-46SAP_NEW 2-46sapavx<xx>_<INST> 2-40SAPCPIC 2-4SAPDBA 2-22

ORACLE under UNIX 2-21ORACLE under Windows NT 2-23

sapntstartb.exe 2-18saposcol.exe 2-18SAProuter 2-12, 2-31, 2-40, 2-45

logging 2-12passwords 2-12

saprouttab 2-12SAPSECU.pse 2-35SAPSECULIB

see SAP Security LibrarySAPXGWFC.dll 2-43sapxpg 2-33screen savers 2-5secinfo 2-32, 2-33Secure Network Communications

2-2, 2-12, 2-13, 2-33, 2-41, 2-42Secure Store and Forward 2-34, 2-35Security Audit Log 2-5, 2-36security consulting 1-3, 1-6, 2-7security policy 1-1security products 2-2, 2-13, 2-33, 2-34, 2-35

Session Manager 2-6session termination 2-5slg_dll.dll 2-6smart cards 2-34SNC

see Secure Network CommunicationsSSF

see Secure Store and Forwardstandard users 2-3

DDIC 2-4EARLYWATCH 2-4passwords 2-3SAP* 2-3SAPCPIC 2-3, 2-4

START_<Instance> 2-48stat/level 2-36statistic records 2-36SUID/SGID programs 2-14support 1-6SUSR0001 2-5system landscape 2-28, 2-29system log 2-5, 2-36system profile parameters 2-48

T

table classes 2-9table recording 2-38Table T000 2-47tables

HCL* 2-20PA* 2-20RFCDES 2-20SAPUSER 2-20T000 2-3, 2-20, 2-47TDDAT 2-9USR* 2-20USR40 2-2


Index

I-4 Version 2.0a : November 24, 1998 SAP AG

TCP ports 2-40technical consulting services 1-3, 1-6

see also security consultingTPPARAM 2-29transactions

PFCG 2-7SALE 2-43SCC4 2-47SCD0 2-37SE03 2-29SE06 2-29SE11 2-37SE93 2-9SECR 2-36SGL0 2-37SGL1 2-37SM18 2-5, 2-36SM19 2-5, 2-36SM20 2-5, 2-36SM21 2-36SM30 2-47SM31 2-3, 2-47SM49 2-19SM59 2-31SM69 2-19SMW0 2-43

STAT 2-36, 2-45STMS 2-29SU01 2-38SU24 2-10SU25 2-10SUIM 2-7SWI2 2-37SWI5 2-37

Transport Management System 2-29transports 2-28trusted domain concept 2-17trusted systems - RFC 2-32

U

umask 2-15UNIX 2-14, 2-15

Network File System (NFS) 2-14Yellow Pages (NIS) 2-14

user authentication 2-2ITS 2-42

user locks 2-5, 2-36user master records 2-7users

DDIC 2-4EARLYWATCH 2-4R/3 Online Services 2-4

SAP* 2-3SAPCPIC 2-4Windows NT administrators 2-16

V

viruses 2-46

W

Web browser 2-41Web server 2-39, 2-41WebReporting 2-43WebRFC 2-43WGate 2-39, 2-40, 2-41Windows NT 2-16, 2-17, 2-18

access rights 2-16domain concept 2-17domain controller 2-16R/3 resources 2-17, 2-18R/3 users and groups 2-16trusted domain concept 2-17

workflow execution logging 2-37WRKSYSVAL 2-27

Y

Yellow Pages (NIS) 2-14

R/3 Security Services in Detail

R/3 Security Guide / Feedback Reply Form

SAP AG Version 2.0a : November 24, 1998 Feedback

R/3 Security Guide / Feedback Reply Form

To:

SAP AGCCMS & Security DepartmentPostfach 1461D-69190 WalldorfGermany

Fax: +49-6227 / 7-41198

From:

Name: .........................................................................................

Position: .........................................................................................

Dept.: .........................................................................................

Company: .........................................................................................

Address: .........................................................................................

.........................................................................................

Telephone: ................................................Fax: .................................

email: .........................................................................................

Subject: Feedback to the R/3 Security GuideFeedback applies to: R/3 Security Guide, Volume ................ Version .................... Chapter ...............................

R/3 Release ..................... Database: ....................... Operating System ...............................

Were you able to find theinformation you needed in theguide?

¡ Yes

¡ No

How well does the R/3 SecurityGuidemeet your needs?

¡ Very well

¡ Well

¡ Not very well

¡ Not at all

Why or why not?(Use space below.)

Are you?

¡ Requesting furtherinformation

¡ Reporting additionalinformation

¡ Reporting missinginformation

¡ Reporting an error

¡ Other

Feedback (use additional pages if necessary):

...........................................................................................................................................................................................

...........................................................................................................................................................................................

...........................................................................................................................................................................................

...........................................................................................................................................................................................

...........................................................................................................................................................................................

...........................................................................................................................................................................................

...........................................................................................................................................................................................

...........................................................................................................................................................................................

...........................................................................................................................................................................................

...........................................................................................................................................................................................

...........................................................................................................................................................................................

Thank you for your information.

Documents

Security Check List